
ICMP errors to IPSECed data?



In my implementation I have done the receive IPSEC processing "in
place" (replacing crypted data with clear data) before passing it to
the upper layer (TCP/UDP). Now it just occurs to me that this is a
potential security leak if the upper layer generates ICMP (such as
port unreachable) and copies the received packet into the ICMP
(especially in IPv6, where much more of the packet is copied).

It is possible to have a policy that requires protection for specific
UDP/port combo, and a different policy for ICMPs (like no encryption).

Just wondering how this is actually solved by others?

 - keep the original packet untouched (and require upper layers
   to be aware of this and have them use the original packet in their
   ICMP replies) [Not very tempting, as I don't like duplicating the
   buffer space requirement just for a possible error situation]

 - have some "marker" on the packet, which stops the copying for such
   ICMP messages,

 - require that the policy writer is aware of such potential "leak"
   and specifies proper IPSEC for ICMP too [but, you could have high
   security on UDP(port=x) and some lower security for UDP(port=y),
   which one you specify for a possible ICMP]

 - should ICMP error messages actually get the security from a policy
   that matches the returned packet they are trying to report?
   [e.g. instead of matching ICMP to the selectors, match the
   contained packet instead (feels a bit complex and kludgy)]

Has this issue been discussed?

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
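As an added illustration (not part of Markku's message or of his implementation), here is a small Python model of the scenario he describes: IPsec input decrypts in place, the UDP layer finds no listener and builds an ICMP port-unreachable that quotes the received packet, and the quoted cleartext goes out under the (weaker) ICMP policy. It then models two of the options from the list, the per-packet "marker" that stops the payload copy, and choosing the ICMP's outbound protection from the policy that matched the quoted packet. The SPD rules, the port numbers, the packet layout and the XOR "cipher" standing in for ESP are all constructed for the example and are not from the post.

```python
"""Toy model of the ICMP-leak after in-place IPsec decryption.

Everything here (SPD, ports, packet layout, the XOR stand-in for ESP)
is constructed for illustration; it is not a real IPsec stack.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UDP, ICMP = 17, 1
ESP_KEY = 0x5A  # constructed: one-byte XOR key standing in for a real ESP SA


@dataclass
class Packet:
    proto: int
    dport: int
    payload: bytes
    # The per-packet "marker": set by IPsec input when the payload was
    # decrypted in place, so upper layers know it must not be copied in clear.
    was_protected: bool = False


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]  # None matches any port
    protection: str       # "ESP" or "none"


# Constructed SPD: UDP/7777 must be ESP-protected; other UDP and ICMP may go in the clear.
SPD = [Rule(UDP, 7777, "ESP"), Rule(UDP, None, "none"), Rule(ICMP, None, "none")]


def required_protection(proto: int, dport: Optional[int] = None) -> str:
    """First-match SPD lookup on (proto, dport); default is no protection."""
    for r in SPD:
        if r.proto == proto and (r.dport is None or r.dport == dport):
            return r.protection
    return "none"


def toy_esp(data: bytes) -> bytes:
    """Stand-in for ESP encrypt/decrypt (XOR is its own inverse). Not a cipher."""
    return bytes(b ^ ESP_KEY for b in data)


def ipsec_input(proto: int, dport: int, esp_payload: bytes) -> Packet:
    """Receive-side IPsec: decrypt 'in place' and hand the cleartext up, marked."""
    return Packet(proto, dport, toy_esp(esp_payload), was_protected=True)


def _quoted_headers(pkt: Packet) -> bytes:
    # Constructed header encoding: protocol byte followed by 16-bit dest port.
    return bytes([pkt.proto]) + pkt.dport.to_bytes(2, "big")


def icmp_unreachable_naive(pkt: Packet) -> Tuple[bytes, str]:
    """The leak: no listener, so quote the whole (now cleartext) packet and
    send the ICMP under the ICMP policy only. Returns (icmp_body, protection)."""
    return _quoted_headers(pkt) + pkt.payload, required_protection(ICMP)


def icmp_unreachable_marker(pkt: Packet) -> Tuple[bytes, str]:
    """Marker option: if the packet was decrypted in place, quote headers only."""
    body = _quoted_headers(pkt)
    if not pkt.was_protected:
        body += pkt.payload
    return body, required_protection(ICMP)


def icmp_unreachable_inner_policy(pkt: Packet) -> Tuple[bytes, str]:
    """Inner-policy option: quote everything, but send the ICMP under the
    stronger of the ICMP policy and the policy matching the quoted packet."""
    body = _quoted_headers(pkt) + pkt.payload
    icmp_prot = required_protection(ICMP)
    inner_prot = required_protection(pkt.proto, pkt.dport)
    prot = "ESP" if "ESP" in (icmp_prot, inner_prot) else icmp_prot  # "none" < "ESP"
    return body, prot


def demo() -> dict:
    """Run one decrypted UDP/7777 packet through the three ICMP generators."""
    secret = b"secret payload"
    pkt = ipsec_input(UDP, 7777, toy_esp(secret))  # arrived under ESP, decrypted in place
    results = {}
    for name, fn in (("naive", icmp_unreachable_naive),
                     ("marker", icmp_unreachable_marker),
                     ("inner_policy", icmp_unreachable_inner_policy)):
        body, prot = fn(pkt)
        results[name] = {"cleartext_quoted": secret in body, "sent_with": prot}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:13s} quotes cleartext={r['cleartext_quoted']!s:5s} sent with {r['sent_with']}")
```

Only the naive generator both quotes the secret and sends it with no protection; the marker variant drops the payload from the quote, and the inner-policy variant keeps the quote but forces ESP on the ICMP. Neither toy resolves the buffer-duplication trade-off of keeping the original packet, which the post lists as the first option.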